On 10/10/10, My Little Pony started to appeal to adult males. Ya rly! Forget the /b/ memes, and go watch the show and see what I mean. After all, the /b/ memes exist because the show itself is so cleverly written. Check it out!

jpk wrote: Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because they think Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

I think he's just trolling us. To be honest, you could always include a random character somewhere to screw it up.

"correct pony ba|ttery staple"

Boom, now the algorithm won't see it.


I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal). As long as your pissed off friend/boy/girlfriend can’t get into something that’s important to you by typing “password”. Honestly, how many people want to mess up your xkcd forum account? The password is only there so someone can’t, on a complete whim, decide to be you. (But if you like making nerdy arch-enemies, watch out.)

On an unrelated note my friend has had a 42-letter password for his laptop for years. Apparently he's far ahead of the game.

My employer (who shall remain nameless) has somewhat silly password requirements. Exactly 8 characters, only numbers and lowercase letters. Which (at 1000 guesses/sec) would take up to 89.4 years if it were completely random, but it rarely is. Luckily we require a PGP pass phrase to turn the computer on, but the account passwords on their own aren't terribly secure.

Haha, I liked this one. My passwords are somewhere in between, in that they have at least one number and capital letter, but they're also composed of a somewhat meaningful couple of words. It's not like any of my accounts are worth the time it would take to guess the password, though.

Alex-J wrote: I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).

Do you really think J. Random Loser actually uses a more secure password for their gmail account than they do for their xkcd forum account? I don't. And guess how much trouble I could get into if I have your primary email account... the one that all of your other accounts send password resets to...

Well, the gibberish is not that hard to remember if you use the same one for 10+ years. Never changing it, even after that skeezy website emailed it back to you in plaintext, or that time you had a virus. And use it on every website you visit, from your bank to facebook, to HotChicksEatingIceCeamInThePool.com

My standard disclaimer about the strength of passwords is that no matter how strong it may be algorithmically, a password is immediately weak once it's used as an example of a strong password (which I expect means I am "explaining the joke" of Drooling Iguana's post). Particularly if you have draconian password requirements on a system, and so have to demonstrate a kind of password that will fit the rules - for a big enough system, I can practically guarantee that a sizeable number of users will take that example password and use it.

Personally, I have a sucky password for things like forums (which I could care less if they got hacked), I have a moderate password for things like personal info without credit card data, and then I have a mecha-sheeva password for all things financial.

By the way, using the ~2^44 is way less secure than actually using an 8-character password that is more random than a simple character appending and substitution. If you make an anagram of a phrase you like, make it upper and lower case, add numbers and symbols in random places, it's far more secure than a common English word mash-up. Hell, if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

Having done some brute force password cracking, this comic isn't truthful to real life from my experience. When brute forcing a password you can do various types of attacks, but the larger the pool of characters for each character of a password, the higher the total # of password possibilities. Example: a 5-character all lower case password provides 11,881,376 possibilities, whereas a 5-character password using upper case, lower case and 0-9 produces 916,132,832 possibilities. That password would be potentially 77.10 times harder to crack using brute force methods than the first example.
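The two posts above both reason from keyspace sizes (26^5 vs 62^5, 67^8 vs 2^44, 36^8 at 1000 guesses/sec). This is an added calculator, not code from any post in this thread, that reproduces those figures and turns any (alphabet size, length) pair into bits of entropy and a worst-case enumeration time at a given guess rate. The scheme list and the guess rates are constructed for illustration; the sizes come from the posts themselves.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed list of the choices posters describe: (alphabet size, length).
SCHEMES = {
    "5 lowercase letters": (26, 5),
    "5 chars from upper, lower and digits": (62, 5),
    "8 chars from digits and lowercase": (36, 8),
    "8 chars from upper, lower, digits and 5 symbols": (67, 8),
    "4 words from a 2048-word list": (2048, 4),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def worst_case_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years to enumerate the whole keyspace at a fixed guess rate (the average hit is half that)."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def ratio(scheme_a: str, scheme_b: str) -> float:
    """How many times larger scheme_a's keyspace is than scheme_b's."""
    return keyspace(*SCHEMES[scheme_a]) / keyspace(*SCHEMES[scheme_b])


def report(guesses_per_second: float = 1000.0) -> str:
    """One line per scheme: entropy in bits and worst-case years at the given rate."""
    lines = []
    for label, (n, k) in SCHEMES.items():
        lines.append(f"{label:50s} {entropy_bits(n, k):6.1f} bits  "
                     f"{worst_case_years(n, k, guesses_per_second):16.1f} years @ {guesses_per_second:g}/s")
    return "\n".join(lines)


if __name__ == "__main__":
    # The comic's online rate, then an illustrative offline rate against a fast hash:
    # the ordering of the schemes does not change, only the absolute years do.
    print(report(1000))
    print(report(1e9))
```

Note that the table only measures uniformly random choices; a human-chosen "4 words" or "8 characters" is drawn from a much smaller effective space, which is the point several replies below make.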

Alex-J wrote: I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).

Do you really think J. Random Loser actually uses a more secure password for their gmail account than they do for their xkcd forum account? I don't. And guess how much trouble I could get into if I have your primary email account... the one that all of your other accounts send password resets to...

Most things that are important to me (i.e. not my robozzle account), when asked to reset my password, require you to answer one of those security questions you had to make when you created your account.

1). Most sites have a maximum password length, somewhere in the 10-15 character range. If you're lucky, the password will get truncated when it is set AND when you enter it, so you won't even notice that the extra bits are falling on the floor. Some sites *cough* NewEgg *cough* will truncate when you set the password but WON'T truncate when you enter it, so when you type EXTRA characters, it thinks your password is wrong. Irritating.

2). A complex password with few characters is hard to remember (at first), but really fast to type when you get used to it. If you lock your screen every time you leave your desk, you're going to get pretty sick of typing a paragraph about horse batteries.

3). A lot of places will require capital, lowercase, numbers, and symbols anyway.

So why 11 bytes per word regardless of the word length? The password I use for higher security things is a 30 letter sentence - I was wondering how long the brute force calculation for that would take, but without a consistent bytes-per-letter, I can't calculate it.

Most sites have a maximum password length, somewhere in the 10-15 character range.

Those sites piss me the hell off! Like you wouldn't believe how much they piss me the hell off!


I think the best idea along these lines is the first letter of each word in a phrase. It's easy to remember and isn't susceptible to a dictionary attack that concatenates words. Make up a simple algorithm to make it unique to the website, like placing the length of the site's name and its last character at the third position, and you're golden.

phrase: Everything should be made as simple as possible, but not simpler.
site: xkcd
password: esb4dmasapbns

The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on. Passwords would be a lot easier to generate if every site had the same requirements - or if they just accepted anything and let the consequences be on the password owner's head.

I'd say a good yet easy to remember password is something like: bbbbbhunter2cccccddddd

Entropy (in the sense generally used) is not really necessary, as long as most "bruteforcers" aren't trying to do it. Of course, if it gets common to repeat many letters in a password, bruteforcers will start to try that, but even then it's not easy (how many letters? which ones? in which position? case sensitive?)

Just use KeePass. One don't-care password for your hardware, one high-power password for your KeePass database, and then max-length random passwords everywhere else (including your TrueCrypt volumes, of course). Doesn't even matter if they limit you to 8 characters; nobody ever tries high ASCII.

Rephistorch wrote: By the way using the ~2^44 is way less secure than actually using an 8 character password that is more random than a simple character appending and substitution.

One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, i.e. if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e. This has two main advantages: 1) The pattern generated has semantic content for me - I can't forget the two elements that make it up, and they are strongly associated for me. In addition, I don't have any trouble typing interleaved words, so it's hard for me to mistype. 2) Part of the pattern is arbitrary: there isn't enough data to recover the phone number part unless you know me and start guessing at which friend is the key for this password.

It's also difficult to target in a dictionary attack, unless it becomes common enough that it's worth targeting this pattern, in which case it's no better than friend's name plus some digits, which is pretty bad. (how many names would exhaust 80% of the English-language namespace? around 100? That number * 10^5 is the size of your search space. That's tiny.)

Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.

jpk wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.

Which is of course what I meant. It's pretty easy to memorize if you type it often enough and maybe even create a mnemonic for yourself. I actually don't think anything can ever be truly random, but possibly so improbable to predict as to be as close as you're gonna get.

Rashkavar wrote: So why 11 bytes per word regardless of the word length? The password I use for higher security things is a 30 letter sentence - I was wondering how long the brute force calculation for that would take, but without a consistent bytes-per-letter, I can't calculate it.

I guess the assumption is that you are choosing it from a list of around 2000 random words and the attacker has access to the same list, and first searches only for pure (unsubstituted) English words off that list. It isn't a realistic scenario, but maybe a reasonable worst-case one.

jpk wrote: One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, i.e. if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e. This has two main advantages: 1) The pattern generated has semantic content for me - I can't forget the two elements that make it up, and they are strongly associated for me. In addition, I don't have any trouble typing interleaved words, so it's hard for me to mistype. 2) Part of the pattern is arbitrary: there isn't enough data to recover the phone number part unless you know me and start guessing at which friend is the key for this password.

It's also difficult to target in a dictionary attack, unless it becomes common enough that it's worth targeting this pattern, in which case it's no better than friend's name plus some digits, which is pretty bad. (how many names would exhaust 80% of the English-language namespace? around 100? That number * 10^5 is the size of your search space. That's tiny.)

Most dictionary attacks now routinely include interleaving words or words and numbers. However, it still does increase the sample space considerably.

And really, how secure is Tr0ub4dor&3 when you use it for every site, like many people do? (http://xkcd.com/792/) (#792 actually made me decide to revise my passwords to all the sites I visit at least somewhat frequently. Now, I use a different password for almost every site, and they consist of interspersed letters, numbers, and punctuation. In fact, they look a lot like troubador over there. And yes, I do remember them all.)

jpk wrote: (gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

I think the point is that both passwords are based on simple formulae, as are the programs used to crack them, and that even if the second formula became the new common one, it would still be really tough to crack compared to the first. Trying every word in the English language once is one thing, but getting the right four in the right order would require [total number of words]^4 guesses. So if, for example, there were only 1,000 words to pick from, and it took one second to run through them all as Randall assumes, guessing any four in any order would take 1,000,000,000 seconds — over 30 years. Fun how permutations work, eh?

Rephistorch wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

Yep. That's what I've been doing since I was a kid. I even wrote an app to generate such strings automatically, with a switch to disable keyboard characters if some stupid website refuses to accept them. Also, that would actually be 68^8 on a US English keyboard.

cephalopod9 wrote: Only on Xkcd can you start a topic involving Hitler and people spend the better part of half a dozen pages arguing about the quality of Operating Systems.

I've got some good password memorization skills. Mostly, I have important passwords for things that have my debit card number and other sensitive info, an unimportant password for everything else, and an old password for things that bitch at punctuation and longer than 8-12 chars. Yeah, all my uni records are under an old password. No, I'm not sharing. No, I'm not sharing my FB password because I also use it for Twitter.

Also Correct Horse Battery Staple sounds like an indie band name.

frezik wrote: Anti-photons move at the speed of dark

DemonDeluxe wrote: Paying to have laws written that allow you to do what you want, is a lot cheaper than paying off the judge every time you want to get away with something shady.

jpk wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.

Which is of course what I meant. It's pretty easy to memorize if you type it often enough and maybe even create a mnemonic for yourself. I actually don't think anything can ever be truly random, but possibly so improbable to predict as to be as close as you're gonna get.

I figured that was what you meant, just wanted to confirm. I've always figured the correct way to handle passwords is to give people a handful of strong generated passwords to choose from, and let them learn them. Then, don't make them change them over and over, let them actually learn them. Changing passwords for security only makes sense if you know the password has been cracked. Changing the password every three months (or whatever) is idiotic: it enforces weak passwords, and no cracker is going to spend weeks on your password, so at any given time, they're dealing with only one (weak) password, unless you happen to hit it lucky and hit the three-month change while they're actually running their brute-force attack. Moronic.

phrase: Everything should be made as simple as possible, but not simpler.
site: xkcd
password: esb4dmasapbns

The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on.

That's the method I recommend to friends and family. If the site requires odd characters, just do what you did for the number - capitalize the nth letter, and toss a # or & in next to the number and you have most cases covered.

Problem is, after explaining this to friends and family, I find they still use the simple 1-word or 1-word + number method. I'm starting to think a password generator like KeePass or the ones that come with fingerprint scanners are the only practical answer. People are not just resistant to hard-to-remember passwords, they're also resistant to hard-to-type passwords. The generators do the typing of the hard-to-type, hard-to-remember passwords for you, making it much more likely to be used.

Also keep in mind that you're supposed to use a different password for every site (or at least the important ones). My dad typed his password into a phishing email, and unfortunately it was the password he used for everything including bank accounts. It took a few days to hit all the sites he could think of where he had accounts, and change every password. Having a different password for each account is still hard to do with memorized passwords. But using a generator makes it easy.

The main drawback of the generator in my experience is that if you lose access to the machine(s) with the generator installed, you're locked out of all your accounts. I keep my email as a memorized password, so worst-case I can reset the password on an account and get in that way.